Earlier this year, Microsoft prepared its services to be compliant with Europe’s strict new General Data Protection Regulation (GDPR). While companies like Facebook has faced threats of prosecution for breaking GDRP rules, Microsoft has insisted it was fully compliant. However, investigators in the Netherlands believe Microsoft Office could break some of the regulations.
Specifically, Dutch authorities say a telemetry data function in Microsoft Office breaks GDPR rules. The investigators go as far as to say Microsoft has participated in a “large scale and covert collection of personal data” through Office 2016 and Office 365.
Eight points of interest have been identified, including a lack of option to turn off Microsoft Office telemetry data collection. Furthermore, the investigators say they were unable to find any documentation highlighting what data Microsoft gathers.
Of course, some of the data collected by Microsoft includes standard diagnostics and functionality information. The investigators acknowledge this data as standard industry practice. Unfortunately, the same cannot be said for the actual user data the company seemingly gathers, such as email subjects and content through Microsoft Translate.
Back in 2017, Microsoft insisted it would be ready for GDPR laws when they came into effect in 2018. In April this year, the company moved Azure and Office 365 cloud operations to European-based datacenters on the continent in an effort to appease lawmakers.
Dutch investigators seem to contest this migration was wholesale. They say telemetry data is sending Dutch Microsoft Office users to US-based servers. Aside from flaunting GDPR laws, this would mean that data is open to US law enforcement agencies.
Microsoft has regularly received criticism for its less than clear data gathering policy on Windows 10. Interestingly, it seems Office is gathering far more data than the company’s PC platform. The team found Microsoft gathers up to 25,000 Office events which it makes available to dozens of engineering teams.
To see the full report, including the 8 issues investigators found, click here.
While Microsoft has not released a statement, the Dutch investigators say the company has been co-operative. Indeed, Redmond has already launched a new telemetry setting for Office that deals with issues number 1 and 2 in the report.
Work is ongoing to address numbers 3 through 8 from the report. Microsoft has pledged to publish documentation to show its Office telemetry model and provide clearer options to users to select which data they want to share.